CVE-2021-38511

7.5 HIGH

📋 TL;DR

The Rust `tar` crate before 0.4.36 can create directories outside the destination directory when unpacking an archive that contains a symlink entry pointing outside the destination, followed by an entry beneath that link: while creating the later entry's parent directories the crate follows the symlink, so attacker-chosen directories appear wherever the link points. Per RUSTSEC-2021-0080 the crate errors when it then tries to create the file, but the directories already exist at that point. Any Rust application that unpacks untrusted archives with `Archive::unpack` or `Entry::unpack_in` is affected; the impact is arbitrary directory creation (directory traversal), not arbitrary file content.

💻 Affected Systems

Products:
  • Rust tar crate
Versions: All versions before 0.4.36
Operating Systems: All platforms where Rust runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that extract TAR archives, particularly from untrusted sources.

📦 What is this software?

`tar` (crates.io package `tar`, repository alexcrichton/tar-rs) is a pure-Rust library for reading and writing TAR archives. It is a dependency of cargo itself and of many Rust tools and services that package or unpack archives, so it is often present transitively rather than as a direct dependency.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker-chosen directories created anywhere the extracting process can write, via a symlink target that is absolute or climbs out with `..`. No attacker-controlled file content lands outside the destination (the advisory notes the crate fails when it reaches the file entry), so the damage is empty directories; those can still break software that treats the existence of a path as meaningful, or pollute system locations when the extractor runs as root.

🟠 Likely Case

Failed or partial extractions and stray empty directories outside the destination; for services that unpack user-supplied archives this is a denial-of-service and filesystem-pollution vector rather than code execution.

🟢 If Mitigated

With archives rejected when they contain symlinks, and extraction run as an unprivileged user in a fresh directory, the crafted archive is refused before anything is created; even if it slips through, the process cannot write outside its own sandbox.

🌐 Internet-Facing: HIGH - Services that accept TAR uploads from external sources (package registries, build services, import endpoints) process the crafted archive directly.
🏢 Internal Only: MEDIUM - Internal systems unpacking user-uploaded or third-party archives remain at risk, with impact bounded by the extractor's write permissions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only a crafted archive: one symlink entry whose target points outside the destination, followed by an entry beneath that link. No authentication is required beyond whatever the application demands for accepting the archive.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.36 and later

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0080.html

Restart Required: No

Instructions:

1. Require `tar = "0.4.36"` or newer in Cargo.toml. The crate follows semver, so an existing `tar = "0.4"` requirement already permits the fixed release; what matters is the version recorded in Cargo.lock.
2. Run `cargo update -p tar` so Cargo.lock moves to the newest matching 0.4.x release (`cargo update -p tar --precise 0.4.36` pins that exact version). This also works when `tar` is only a transitive dependency.
3. Rebuild and redeploy. The fix is compiled into the binary, so a deployed service is patched only once the rebuilt binary replaces the old one.

🔧 Temporary Workarounds

Validate archive entries before extraction

Platforms: all

Walk the archive with `Archive::entries()` before calling `unpack` and reject it if any entry has a path that is absolute or contains `..`, or is a symlink (`header().entry_type().is_symlink()`) or hard link whose target (`link_name()`) does not stay inside the destination. Rejecting every link entry is the simplest safe policy when the application does not need links.

Use a sandboxed extraction directory

Platforms: all

Extract into a fresh, empty temporary directory (for example one created with the tempfile crate) with restricted permissions, and run the extractor as a user that cannot write anywhere else. The empty directory on its own does not stop this bug, since the escaping symlink target is what is followed; the confinement of the process (unprivileged user, container, or chroot) is what limits where the stray directories can land.

🧯 If You Can't Patch

  • Disable TAR archive processing from untrusted sources
  • Implement strict input validation rejecting archives with symlinks
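A pre-extraction check that implements the workaround above and the "reject archives with symlinks" fallback, as an added example written for this page rather than code from the tar crate or the advisory. It parses the ustar headers itself using only the standard library so it runs stand-alone; in an application the same policy can be applied to the tar crate's `Archive::entries()` iterator before `unpack`. The policy is this example's choice: refuse hard links, fail closed on GNU/pax long-name entries (their real names live in data blocks this parser does not read), and accept a symlink only when its target resolves lexically, relative to the link's own directory, to inside the extraction root. The two sample archives are constructed in the code; the malicious one has the shape described in the advisory.

```rust
// Added example (not the tar crate's own code): inspect an untrusted TAR
// archive's headers and reject it before anything is unpacked. std only.
use std::path::{Component, Path};

const BLOCK: usize = 512;

/// Header fields the policy needs, decoded from one 512-byte ustar header.
#[derive(Debug, PartialEq)]
pub struct Entry { pub path: String, pub typeflag: u8, pub linkname: String, pub size: u64 }

/// Why an archive was rejected; offending paths are kept for logging.
#[derive(Debug, PartialEq)]
pub enum Reject { Traversal(String), LinkEscapes(String, String), HardLink(String), Unsupported(u8), Truncated }

/// NUL-terminated header string with surrounding spaces trimmed.
fn field(bytes: &[u8]) -> String {
    let end = bytes.iter().position(|&b| b == 0).unwrap_or(bytes.len());
    String::from_utf8_lossy(&bytes[..end]).trim().to_string()
}

/// Lists the entries of an in-memory archive without touching the filesystem.
pub fn entries(archive: &[u8]) -> Result<Vec<Entry>, Reject> {
    let (mut out, mut off) = (Vec::new(), 0usize);
    while off + BLOCK <= archive.len() {
        let h = &archive[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) { return Ok(out); }   // end-of-archive marker
        let mut path = field(&h[0..100]);
        let prefix = if &h[257..262] == b"ustar" { field(&h[345..500]) } else { String::new() };
        if !prefix.is_empty() { path = format!("{}/{}", prefix, path); }
        let size = u64::from_str_radix(&field(&h[124..136]), 8).unwrap_or(0);
        out.push(Entry { path, typeflag: h[156], linkname: field(&h[157..257]), size });
        off += BLOCK + ((size as usize + BLOCK - 1) / BLOCK) * BLOCK;   // skip the data blocks
    }
    Err(Reject::Truncated)   // no zero end marker before the data ran out: fail closed
}

/// Lexical depth below the root after resolving `p` from a directory at depth
/// `start`; None if `p` is absolute or climbs above the root.
fn depth_from(start: i64, p: &Path) -> Option<i64> {
    p.components().try_fold(start, |d, c| match c {
        Component::Normal(_) => Some(d + 1),
        Component::CurDir => Some(d),
        Component::ParentDir if d > 0 => Some(d - 1),
        _ => None,   // ".." past the root, or RootDir/Prefix (absolute target)
    })
}

/// This example's policy: paths stay under the root, hard links and
/// long-name/pax entries are refused, symlink targets must resolve inside the root.
pub fn validate(archive: &[u8]) -> Result<Vec<Entry>, Reject> {
    let list = entries(archive)?;
    for e in &list {
        let depth = depth_from(0, Path::new(&e.path))
            .ok_or_else(|| Reject::Traversal(e.path.clone()))?;
        match e.typeflag {
            b'1' => return Err(Reject::HardLink(e.path.clone())),
            b'L' | b'K' | b'x' | b'g' => return Err(Reject::Unsupported(e.typeflag)),
            b'2' => {
                let parent = (depth - 1).max(0);   // the link itself sits at `depth`
                if depth_from(parent, Path::new(&e.linkname)).is_none() {
                    return Err(Reject::LinkEscapes(e.path.clone(), e.linkname.clone()));
                }
            }
            _ => {}
        }
    }
    Ok(list)
}

/// Builds one ustar header block; used only to construct the sample archives.
pub fn header(name: &str, typeflag: u8, linkname: &str, size: u64) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(b"0000644");                          // mode
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes()); // size, octal
    h[148..156].copy_from_slice(b"        ");                         // checksum counts as spaces
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h
}

/// Constructed sample with the CVE-2021-38511 shape: an escaping symlink, then a directory beneath it.
pub fn malicious_archive() -> Vec<u8> {
    let mut a = header("escape", b'2', "../../outside", 0).to_vec();
    a.extend_from_slice(&header("escape/created", b'5', "", 0));
    a.extend_from_slice(&[0u8; BLOCK * 2]);   // end-of-archive marker
    a
}

/// Constructed sample the policy must accept: a directory, a 5-byte file, an inside-pointing symlink.
pub fn benign_archive() -> Vec<u8> {
    let mut a = header("app/", b'5', "", 0).to_vec();
    a.extend_from_slice(&header("app/config.txt", b'0', "", 5));
    a.extend_from_slice(b"hello");
    a.extend_from_slice(&[0u8; BLOCK - 5]);   // file data is padded to a full block
    a.extend_from_slice(&header("app/link", b'2', "../app/config.txt", 0));
    a.extend_from_slice(&[0u8; BLOCK * 2]);
    a
}

fn main() {
    println!("benign:    {:?}", validate(&benign_archive()).map(|l| l.len()));
    println!("malicious: {:?}", validate(&malicious_archive()).map(|l| l.len()));
}
```

Because the check is lexical it only proves the archive is safe against an empty destination: unpack into a fresh, empty directory so no pre-existing symlink can redirect a path the check accepted, and run the extractor as a user with no write access outside that directory.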

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock for any tar version < 0.4.36 (a lock file can record more than one version of the same crate). `cargo tree -i tar` lists every version in the dependency graph together with the crates that pull it in; `cargo tree | grep tar` also matches unrelated crate names containing "tar". `cargo audit` reports this advisory as RUSTSEC-2021-0080.

Check Version:

grep -A2 'name = "tar"' Cargo.lock | grep version

Verify Fix Applied:

Confirm that every tar version in Cargo.lock is >= 0.4.36 and that the deployed binary was built from that lock file. As a functional test, unpack an archive containing a symlink entry pointing outside the destination followed by a directory entry beneath it into a fresh directory: the fixed crate must not create anything outside the destination.
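A small Cargo.lock scanner, added here as an example (it is not a cargo feature), that does the version comparison the checks above leave to the reader: it collects every recorded version of `tar`, which matters when two copies are present in the lock, and flags those below 0.4.36. Pre-release suffixes are parsed as their base version and an unparseable version counts as suspect. The lock file text in the block is constructed for the example; run the binary with a path argument to scan a real Cargo.lock.

```rust
// Added example: flag tar crate versions below 0.4.36 in a Cargo.lock (std only).

/// First fixed release per RUSTSEC-2021-0080.
pub const FIXED: (u64, u64, u64) = (0, 4, 36);

/// Parses "MAJOR.MINOR.PATCH"; a pre-release/build suffix such as "-beta.1" is dropped.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Every version of `crate_name` recorded in the lock file text. Cargo.lock is
/// TOML where each dependency is a [[package]] table whose `name` line precedes
/// its `version` line; the top-level `version = 3` has no table and is skipped.
pub fn lock_versions(lock: &str, crate_name: &str) -> Vec<String> {
    let mut versions = Vec::new();
    let mut current: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            current = None;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            current = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            if current.as_deref() == Some(crate_name) {
                versions.push(rest.trim_matches('"').to_string());
            }
        }
    }
    versions
}

/// Vulnerable tar versions in the lock file; empty means nothing to update.
pub fn vulnerable_tar_versions(lock: &str) -> Vec<String> {
    lock_versions(lock, "tar")
        .into_iter()
        .filter(|v| parse_version(v).map_or(true, |p| p < FIXED)) // unparseable counts as suspect
        .collect()
}

/// Constructed sample lock file: one vulnerable and one patched copy of tar.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "filetime"
version = "0.2.15"

[[package]]
name = "tar"
version = "0.4.35"
dependencies = [
 "filetime",
]

[[package]]
name = "tar"
version = "0.4.38"
"#;

fn main() {
    let lock = match std::env::args().nth(1) {
        Some(path) => std::fs::read_to_string(path).expect("cannot read Cargo.lock"),
        None => SAMPLE_LOCK.to_string(),
    };
    let bad = vulnerable_tar_versions(&lock);
    if bad.is_empty() {
        println!("ok: no tar < 0.4.36 in lock file");
    } else {
        println!("VULNERABLE (CVE-2021-38511): tar {}", bad.join(", "));
        std::process::exit(1);
    }
}
```

A lock file that lists both versions, as the sample does, is still vulnerable: the crate that depends on the old copy links it, regardless of the newer copy elsewhere in the graph.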

📡 Detection & Monitoring

Log Indicators:

  • Directories appearing outside the extraction root whose names match entries of an archive that was just processed
  • Unpack errors from the tar crate on archives that contain symlink entries; before the fix these errors appear only after the stray directories have already been created

Network Indicators:

  • Inbound TAR archive uploads followed by unusual file system activity

SIEM Query:

source="application.log" AND "tar extraction" AND ("symlink" OR ".." OR "directory traversal")

🔗 References

  • RUSTSEC-2021-0080: https://rustsec.org/advisories/RUSTSEC-2021-0080.html
  • tar crate repository: https://github.com/alexcrichton/tar-rs